Ransomware creators deploy more than just one way to trap their victims. These include malicious email attachments, infected links, malvertising, and exploit kits.
However, over the past few weeks, we have been observing criminals using a new carrier to deliver the ransomware malware. It mainly affects Windows Server Operating Systems.
The Troldesh ransomware (also known as XTBL) is being spread and executed by criminals by directly gaining access to the victim’s computer through Remote Desktop. By default, Windows Remote Desktop will work only on a local network unless configured otherwise on a router or H/W firewall. This is usually seen in organizations where systems (usually servers) are accessed from multiple branches for various tasks. This explains why most of the affected systems are Windows Server OS.
Remote access to the victim’s computer is gained by using brute-force techniques which can effectively crack weak passwords. The use of this technique is nothing new but its usage as a widespread campaign for spread ransomware is.
Typically, a brute-force attack scans IP ranges and TCP ports (3389 in the case of RDP) which are open for connection. Once an attacker finds a port, they launch the attack. The brute-force technique uses a trial and error password guessing attack with a list of commonly used credentials, dictionary words, and other combinations. Once the access is gained, criminals simply disable the system’s antivirus and run the payload directly. This means, even if the antivirus is updated and has a detection against the malware, turning off its protection renders the system defenseless.
After the encryption, names of the affected files get appended with a uniqueID-EmailID- and .xtbl or .CrySIS extension.
Ransomware creators make use of two essential elements – a public key for encrypting the victim’s files and a private key for decrypting the files. It is the private key that a victim needs to buy (by giving the ransom demanded by the attacker) in order to decrypt the files. Without this key, the decryption is impossible.
In almost all cases, once a system gets infected by a ransomware, getting back the encrypted files is impossible. Hence the best solution is prevention. Here is one of our blog posts on how to prevent ransomware attacks – http://blogs.quickheal.com/how-to-prevent-ransomware-from-locking-your-pc
There are other security practices that users should follow against ransomware attacks and to protect their accounts from brute-forcing.
– Use strong and unique passwords on user accounts that cannot be easily breached. Weak passwords like Admin, admin123, user, 123456, password, Pass@123, etc., can be easily brute-forced in the first few attempts itself.
– Configure password protection for your security software. This would prevent any unauthorized users from disabling or uninstalling it. Quick Heal users can enable this feature from the Settings => Password Protection.
– Disable the Administrator account and use a different account name for administrative activities. Most brute-force attempts are done on an Administrator user account as it is present by default. Also, remove any other unused or guest accounts if configured on the system.
– Change the default RDP port from ‘3389’ to something else. Although a complete port scan would still show the open ports, this would prevent attacks that are targeting only the port 3389 by default.
– Configuring Account Lockout Policies that automatically lock the account after a specific number of failed attempts. This feature is available in Windows and the threshold can be customized as per the administrator.
– Keep your antivirus updated all the time and ensure all security features are ON. Quick Heal proactively detects and blocks the Troldesh/XTBL variants that are being spread through this new vector.
Subject Matter Expert – Lishoy Mathew (Analyst, Quick Heal Threat Research and Response Team)